Sensitive data is being leaked from servers running Salesforce software

Software
Stylized image of rows of padlocks.

Servers running software sold by Salesforce are leaking sensitive data managed by government agencies, banks and other organizations, according to a post published Friday by KrebsOnSecurity.

At least five separate sites run by the state of Vermont permitted access to sensitive data to anyone, Brian Krebs reported. The state’s Pandemic Unemployment Assistance program was among those affected. It exposed applicants’ full names, Social Security numbers, addresses, phone numbers, email addresses, and bank account numbers. Like the other organizations providing public access to private data, Vermont used Salesforce Community, a cloud-based software product designed to make it easy for organizations to quickly create websites.

Another affected Salesforce customer was Columbus, Ohio-based Huntington Bank. It recently acquired TCF Bank, which used Salesforce Community to process commercial loans. Data fields exposed included names, addresses, Social Security numbers, titles, federal IDs, IP addresses, average monthly payrolls, and loan amounts.

Both the state of Vermont and Huntington Bank learned of the leaks when Krebs contacted them for comment. In both cases, the customers quickly removed public access to the sensitive information.

Salesforce Community websites can be configured to require authentication so that a limited number of authorized people can access sensitive data and internal resources. The sites can also be set up to allow non-authenticated access to anyone for viewing public information. Administrators sometimes inadvertently allow unauthenticated visitors to access website sections intended to be available only to authorized workers.

Salesforce told Krebs that it provides customers with clear guidance on how to configure Salesforce Community to ensure what data is accessible to unauthenticated guests. The company pointed to resources here, here, and here.

Several people have pushed back on that assertion. One person is Vermont’s Chief Information Security Officer Scott Carbee. He told Krebs his team was “frustrated by the permissive nature of the platform.” Another critic is Doug Merrett, who first tried to raise awareness about the ease of misconfiguring Salesforce Community two years ago. On Friday, he elaborated on the problem in a post headlined The Salesforce Community Security Issue.

“The issue was that you are able to ‘hack’ the URL to see standard Salesforce pages – Account, Contact, User, etc.,” Merrett wrote. “This would not really be an issue, except that the admin had not expected you to see the standard pages as they had not added the objects associated with the Aura community navigation and therefore had not created appropriate page layouts to hide fields that they did not want the user to see.”

In Salesforce parlance, Aura refers to reusable components in the user interface that can be applied to selected portions of a web page, from a single line of text to an entire app.

Krebs said that he learned of the leaks from security researcher Charan Akiri, who identified hundreds of organizations with misconfigured Salesforce sites. Akiri said that of the multiple companies and government organizations he notified, only five eventually fixed the problem. None of those were in the government sector.

One organization Krebs notified was the government of Washington, DC, which used Salesforce Community for at least five public DC Health websites and was leaking sensitive information. The interim chief information security officer for the district told Krebs he ran the findings by a third-party consultant brought in to investigate. The third party, the CISO told Krebs, reported back that the sites were not vulnerable to data loss.

Krebs then provided a document showing the Social Security number of a health professional he had downloaded from DC Health as he was interviewing the CISO. The CISO then acknowledged his team had overlooked some of the configuration settings.